Attack Tree Origins

Attack trees appear to have evolved from other types of decision tree diagrams, especially
fault trees. This gradual development process, combined with the fact that much of the
original research took place in classified environments, has made it difficult to identify the
precise moment in time when attack trees were invented.

In 1994, Edward Amoroso's book Fundamentals of Computer Security Technology described
threat trees, a tree structure very similar to attack trees. By the late 1990s,
papers were beginning to appear describing the attack tree analysis process in some detail.
For instance, in the 1998 paper Toward a Secure System Engineering Methodology
(http://www.schneier.com/paper-secure-methodology.pdf), the authors describe a mature,
attack tree-based approach to analyzing risk. The paper states that "This paper is based
on research done by a working group sponsored by the National Security Agency." Indeed, two
of the paper's authors (Chris Salter and Jim Wallner) are identified as NSA employees.
A third (O. Sami Saydjari) worked for DARPA. Since it usually takes a period of time for
research from within classified environments to appear in non-restricted forums, this would
seem to indicate that the intelligence community had been involved in attack tree research
for some time. We speculate that attack trees were invented by the NSA in the late 1980s or
early 1990s. We know of no relationship between Edward Amoroso (of Bell Labs) and the NSA and
believe he worked independently to invent attack trees.

The fourth author of the Toward a Secure System Engineering Methodology paper was
the eminent cryptographer and security researcher, Bruce Schneier. In the late 1990s Schneier
gave numerous talks and presentations at security conferences on attack tree analysis. His
efforts were invaluable in educating the security community about attack trees.